Using OWSM UsernameToken for authentication and authorisation of OSB services

09Aug

With the use of Oracle Web Service Manager (OWSM) we can easily configure Oracle Service Bus (OSB) services with different message security policies. This configuration can be done from Eclipse (OEPE), the OSB sbconsole or the Enterprise Manager. One of the most common WS-Security mechanisms, and therefore also one of the most common OWSM policies, is the UsernameToken, where a username and password are sent along with the message.

In this blog we will cover:

Part I: how to enable authentication of users against the list of all known users

Part II: how to enable authorisation so that only a specific subset of users can access a service

First we configure a proxy service in OEPE with the OWSM UsernameToken policy oracle/wss_username_token_service_policy:

And make sure we process the WS-Security header:

After deployment we call the service with a request that is missing the WS-Security header to test the result.

So part 1 is complete: we successfully implemented a proxy service that requires a WS-Security UsernameToken and authenticates these users against the WebLogic security realm. But in our case we have a tight security requirement and need to make sure the user is not only authenticated, but also authorized to access this specific service.

The result from part 1 shows this is not yet the case: both userA and userB would be able to access this service. So let's start part 2, where we will limit access to the proxy service to only userB. For this we have to log in to the sbconsole, since OEPE does not allow you to make Message (or Transport) Access Control settings.

1. Log in to the sbconsole

2. Select Project Explorer

3. Select the proxy service

4. Go to the Security tab

5. Click on the Message Access Control option (either for the whole service or just a single operation)

6. Click on Add Condition

7. Select User from the predicate list

8. Type userB at the User Argument Name

9. Click on Add and Finish

10. Click on Save and Activate to finish the OSB session

Next we call the service again, this time with userB, and we still receive a successful result.

However if we call the service again with a UsernameToken containing userA we get the following SoapFault:

Part 2 is completed, and we end up with a proxy service that has both authentication and authorization enabled.

Remarks:

You can also use groups and roles (rather than users) to authorize access to services.

If you implement and configure an external LDAP (like Oracle Internet Directory) in WebLogic, you can manage the ACLs centrally with groups in your company LDAP instead of in each WebLogic security realm.

The SOAP fault for Message Level Authorization denied (BEA-386102) contains a faultcode value of "Server", which is not correct if you look at the W3C definition. This should be the value "Client" because: "... the message could lack the proper authentication or payment information. It is generally an indication that the message should not be resent without change."
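To make the two stages concrete, here is an added example (not code from the post, nor OSB/OWSM code) that models them in Python on real SOAP 1.1 XML: stage 1 is the UsernameToken check the policy performs against the realm, stage 2 is the Message Access Control condition "User: userB". The realm contents and the allowed-user set are constructed stand-ins, and the faultcode is set to "Client" as the remark above argues it should be (OSB itself returns "Server").

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed stand-ins: the WebLogic security realm (all known users) and
# the Message Access Control condition from the post (only userB allowed).
REALM = {"userA": "secretA", "userB": "secretB"}
ALLOWED_USERS = {"userB"}


def build_request(user=None, password=None):
    """Constructed SOAP 1.1 request; no wsse:Security header when user is None."""
    header = ""
    if user is not None:
        header = (f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}">'
                  f"<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>"
                  f"<wsse:Password>{password}</wsse:Password>"
                  "</wsse:UsernameToken></wsse:Security></soapenv:Header>")
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">{header}'
            "<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>")


def authenticate(envelope):
    """Stage 1 (wss_username_token_service_policy): token must exist and match the realm."""
    root = ET.fromstring(envelope)
    token = root.find(f".//{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return None, "WS-Security UsernameToken header is missing"
    user = token.findtext(f"{{{WSSE_NS}}}Username")
    pwd = token.findtext(f"{{{WSSE_NS}}}Password")
    stored = REALM.get(user)
    # constant-time compare so a failed check does not leak password length
    if stored is None or pwd is None or not hmac.compare_digest(stored, pwd):
        return None, "authentication failed"
    return user, None


def authorize(user):
    """Stage 2 (Message Access Control): only users matching the condition pass."""
    return user in ALLOWED_USERS


def handle(envelope):
    """Return ('ok', user) or ('fault', faultcode, faultstring) like the proxy would."""
    user, err = authenticate(envelope)
    if err:
        return ("fault", "soapenv:Client", err)
    if not authorize(user):
        # the post's BEA-386102 case; 'Client' per the remark, OSB sends 'Server'
        return ("fault", "soapenv:Client", "Message Level Authorization denied")
    return ("ok", user)
```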

Update 2011-08-10: Added 3rd remark regarding the SOAP fault code

Update 2012-01-13: Using the OWSM username token policies you get some additional information at runtime in your $inbound variable. See this blogpost for more details.

Hi Derrick, I haven't worked with the gateway in OWSM 10. However, the Oracle Support knowledge base has an article (ID 882229.1) stating that Oracle Web Services Manager 11g does not provide the functionality to have a Gateway like OWSM 10g did. The article even gives advice regarding using products from other vendors, like Vordel / Layer7 / etc. So it's probably outdated before Oracle made the deal with Vordel to license/resell Vordel XML Gateway as Oracle Enterprise Gateway.

Thanks for the link to the OWSM doc. My team had a meeting with our local Oracle Sales Rep yesterday regarding OWSM 11g and Oracle Enterprise Gateway (OEG), which has a lot of the Policy Enforcement Point features that were previously in OWSM 10g. OEG serves as an XML firewall at the DMZ level.

By the way, this is a great blog. Forgot to mention that in my previous post; I definitely appreciate the time/effort you have put into this blog. Great stuff.

You're welcome. I've worked with the Vordel XMLGateway hardware compliance a while back. Was really impressed by the stability and high load capacity of the product under maximum production load. If my understanding is correct, this product is now sold identically as Oracle OEG. Some sort of reselling license deal I guess, until Oracle buys Vordel.
And thank you for your kind words, really appreciate it. Always hope that my posts help in one way or another. :)

Aswin PS

12-03-2012 at 10:23

jvzoggel
I have an OSB proxy secured with the wss usernametoken service policy. I need the header with the tokens in the message flow, but after the authentication the header becomes empty.
Is there any way to retrieve the header in the message flow? I need both username and password (cleartext).

jvzoggel
Thanks for your post. I tried to do it to test authentication and authorization. But when I go to Proxy Service -> Security tab and click the Service Name at Message Access Control, I could not see the "Add Conditions" button.

I am not sure if there is some problem with domain creation. Please advise.

Hi,
I wanted to know what the use of WS-I compliance is while configuring the proxy service, and what its significance is, as when this is set to yes I am not able to open the effective WSDL from the browser. Can you please help?

The WS-I compliance checkbox validates at runtime that the Web Service Interoperability compliance for SOAP 1.1 services is correct. Quote: "When you configure WS-I compliance for a proxy service, checks are performed on inbound request messages received by that proxy service. When you configure WS-I compliance for an invoked service, checks are performed when any proxy receives a response message from that invoked service."

If you receive errors from a Service Callout or Routing, the error would likely be on the backend SOAP message. Since you receive the error while retrieving the WSDL from the Proxy Service, my first guess would be that for some reason your WSDL is not valid?

It's a great blog; it works fine with SoapUI. Actually I was running through a lot of iterations and I am basically not using the csf-key, as I am authenticating the users using OpenLDAP, which is configured on my WebLogic.

Although I have faced issues using the code for "wss11_username_token_with_message_protection_policy" and then later on just switched to "wss_username_policy".

oracle.wsm.security.SecurityException: WSM-00069 : The security header is missing. Ensure that there is a valid security policy attached at the client side, and the policy is enabled.

Actually I just noticed on JDev the plain "oracle/wss_username_token_service_policy" works fine; it just does not like to work with NetBeans. I need a way to figure out how to get that to work, and if not then I will just use JDev. Meanwhile I will again try "wss11_username_token_with_message_protection_client_policy".

Hi,
I would like to thank you for your blog. I'm using OSB 10g and would like to implement authentication and authorisation of OSB proxy services; I would like to use OWSM 10g (I will migrate next year). What is the best architecture that I can use?
Can I install OWSM on OSB 10g for that purpose?

Hi Jan,
I have used the same oracle/wss_username_token_service_policy with my proxy and managed to get it to work successfully; however, this policy passes the password as clear text. Is it possible to pass the password encrypted?

Second question: I tried to delete the password element from my security header and the proxy still works fine; the only time it won't work is when I do not pass the username as well. Is this the expected behaviour?

If this policy is not suitable, then, as we need a username/password (encrypted) policy, which one do you recommend? Please reply.

I have a different scenario: my backend code (an EJB exposed as a web service that has the usernametoken policy) is running on a separate WebLogic server. If I run OSB and my backend EJB on the same WebLogic, then this approach works without any issues.

But if I keep them separate (which I have to), OSB on weblogic1 and the EJB on weblogic2, this OWSM setup is not working. I am not able to consume the EJB that has the usernametoken policy attached to it.

In OSB 12c, I see the WLS policies are deprecated; we are now upgrading OSB from 11g to 12c. In 11g, both WebLogic security policies and OWSM policies were supported on Oracle Service Bus. As of 11g (11.1.1.7), WebLogic security policies were deprecated, and they are not supported in 12c (12.1.3). Because WebLogic security policies were available in 11g, deployment of the OWSM Policy Manager and use of the OWSM policies was optional. Since only OWSM policies are supported in 12c, OWSM Policy Manager deployment is mandatory. In my current domain, which is on 11g, proxy services are using the WebLogic security policies on WSDL-based proxy services; now I have to deselect the WebLogic security policies from the proxy services and use OWSM policies instead. Please suggest how this can be done using WLST scripting/customization changes or any other approach in 12c, as the changes have to be applied to many web-service-based proxy services.